Technology is the lifeblood of financial services today, with platforms designed for sharing data acting as the circulatory system linking insurers internally as well as externally with customers. While the Internet and mobile access and cloud computing among others are seen as the standard by most consumers, they also offer irresistible targets for bad actors with various motivations — from larceny to political protest to industrial espionage and everything in between.
So I thought it was time to check in to see the current state of cybersecurity. I listened to a recent presentation by my Deloitte colleagues Jim Eckenrode and Adam Thomas to find out, and what they had to say raised both concern and hope. In this blog, I’ll share with you some of what they told me.
The financial services industry was the most targeted of 26 different industries by cyber criminals, according to
Who are the bad guys?
How are the bad guys doing? An analysis by Verizon Risk and Deloitte’s Center for Financial Services found that 88 percent of cyber attacks against financial services firms were successful in less than a day, but only 21 percent of the firms were able to discover these attacks in less than a day, and just 40 percent could restore service in less than a day.
The bad guys are winning, primarily because they can keep one step ahead by deploying a wider array of attack methods.
In
That’s a scary number, but completely understandable. The cyber threat landscape is constantly evolving, and cybersecurity must transform itself to keep pace. The basis of this new approach is easy to understand. An effective cybersecurity strategy includes three legs: security, vigilance and resilience.
The “secure” part of this cyber strategy is aimed at keeping intruders out, both by using risk-prioritized controls and by working with others in industry and cybersecurity to establish and comply with standards and regulations. Vigilance is aimed at detecting intruders when they do get in, as they often will, no matter what. Resilience is about repairing damage and returning quickly to normal operations.
My colleagues have
- Is your strategy executive-driven with clear accountability? Senior leadership may be necessary to cut across silos and functions and ensure true enterprise risk management — in other words, to make cyber risk strategy an integral part of the core company strategy.
- Do you have a dedicated cyber threat management unit? Such a unit can help break down the silos between IT and businesses, and enable a dynamic, intelligence-driven approach to cyber security.
- Is there a focused effort on automation and analytics? This could drastically increase the ability to identify anomalous behavior and risk patterns, among other positives.
- Has the “people” link in your defense chain been strengthened? No matter how good your cyber defense, one careless employee can negate it. Boring trainings may get the facts across, but not their importance. It might be worthwhile to consider a more “human-centric” approach while delivering this training in a way that considers user experience and at the same time is informative.
- Do you work with others outside the company against common threats and enemies? Industry associations, law enforcement, homeland security and others like service providers, consultants and lawyers can all help with information sharing and reducing the risk to individual organizations.
The one thing we know for sure is that the bad guys will not go away. We have to do all we can to be ready for them.
Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.
Readers are encouraged to respond to Howard using the “Add Your Comments” box below.
The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
